Overview

This blog post is a follow-up to part 1, which described the destructive bricking TTPs used on December 29th, 2025 in a series of coordinated cyber attacks against a number of targets connected to Poland's electric grid. This incident involved a TTP we have been warning about for a long time, namely bricking critical OT devices as an attack amplification strategy, and included exploitation of a variant of CVE-2024-8036, which was discovered by Midnight Blue a few years ago. While the previous blog post discussed the Polish incident and presented a technical taxonomy of embedded device bricking TTPs, this blog post investigates how real and widespread this risk actually is in OT environments by looking at other real-world incidents as well as device security posture. We will also argue why we think we will see more "commodity embedded wiper attacks" in the future and why standards compliance such as IEC 62443 will not save OT defenders here.

Destructive TTPs such as wiping or even bricking are not novel in the slightest. Already in the late '80s, viruses like Lamer Exterminator for the Amiga or Festering Hate for the Apple II had destructive payloads that wiped storage media data blocks. The infamous CIH virus from 1998 took things a step further by not only overwriting a hard drive's partition table but also attempting to flash the BIOS and rewrite early boot routines with invalid code, effectively bricking its targets until the BIOS flash chips were reprogrammed or replaced. Likewise, while Mirai is typically credited with popularizing IoT/embedded malware in 2016, Psyb0t was already widely infecting routers in 2009, and the leaked NSA Advanced Network Technology (ANT) catalog from 2008 shows a myriad of implants for routers, firewalls, BIOSes, satellite phones and hard drives, parts of which would become publicly available with the Shadow Brokers leak from 2016 [1,2].
Similar capabilities against routers and switches, held in parallel by the CIA, were revealed in the 2017 Vault 7 leaks, while Chinese and Russian actors have developed strong capabilities for network equipment and IoT, building up massive Operational Relay Box (ORB) networks over the past decade. The BrickerBot malware of 2017 was one of the first large-scale instances combining these aspects: destructive TTPs applied by embedded device malware. BrickerBot destroyed more than 10 million IoT devices by writing random data to various block devices, supposedly in an attempt to prevent them from being added to the Mirai botnet that was spreading like wildfire at the time.

With that in mind, let's take a look at some high-profile cyber attacks against OT environments where the bricking of embedded devices played a role.

The BlackEnergy attack [1,2] by Russian state-sponsored hackers on dozens of substations of 3 different Ukrainian DSOs left over 230.000 people without power for 3 to 6 hours. During this incident the attackers manually opened circuit breakers after taking over HMIs, wiped SCADA servers using KillDisk, and overwhelmed call centers with DoS attacks. However, it is less widely reported that the attackers allegedly also bricked at least 16 serial-to-Ethernet converters responsible for telecontrol between SCADA servers and remote substations. Bricking these converters, similar to the 2025 attack in Poland, meant process operators could no longer remotely reset the opened circuit breakers and instead had to dispatch personnel to manually reset them at the substations themselves. Some reports state that all affected converters required physical replacement after restoration attempts failed. The affected device models in question, the Moxa UC 7408-LX-Plus and the iRZ RUH2 3G, both suffered from vulnerabilities that allowed authenticated users to push malicious, unsigned firmware (CVE-2016-4500, CVE-2016-2309).
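The two CVEs just cited share a root cause: the update path accepted firmware that carried no valid proof of authenticity, so any authenticated user (or anyone holding stolen or default credentials) could flash whatever they liked. The following is an added example, written for this post and not taken from Midnight Blue or from any Moxa or iRZ firmware, of what the accepting side of an update path should do before it touches flash: parse a constructed image header within bounds, authenticate the whole image, refuse version rollback, and only then commit the payload. The image layout, magic value, key, version floor and sample payload are all constructed for this example. It uses HMAC-SHA256 because that is what Python's standard library offers; a real device should verify an asymmetric signature (for example Ed25519) against a public key fixed in the device, so that the verifying key cannot also be used to forge images.

```python
"""Firmware image acceptance check for an embedded update handler.

Added example (not vendor or Midnight Blue code). Shows the control whose
absence lets an authenticated user push unsigned firmware: nothing is
written to flash until the image has been authenticated end to end.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAGIC = b"FWIM"                    # constructed image magic
HEADER = struct.Struct(">4sIII")   # magic, version, payload length, flags
TAG_LEN = 32                       # HMAC-SHA256 tag appended to the image
MIN_VERSION = 5                    # constructed anti-rollback floor kept on the device

# Constructed key for this example only. A production device should hold an
# asymmetric *public* key here and verify a signature instead of an HMAC.
DEVICE_KEY = b"example-device-key-do-not-use-in-production"


def build_image(version: int, payload: bytes,
                key: Optional[bytes] = DEVICE_KEY) -> bytes:
    """Produce header || payload || tag. key=None yields an unsigned image,
    i.e. the kind of file the vulnerable update paths accepted."""
    body = HEADER.pack(MAGIC, version, len(payload), 0) + payload
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, key: bytes = DEVICE_KEY,
                 min_version: int = MIN_VERSION) -> Tuple[bool, str]:
    """Return (accepted, reason). All checks run before any flash write.

    Bounds and length checks come first because they only guard parsing;
    the version field is trusted only after the tag over it has verified.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "image too short to carry a header and a tag"
    magic, version, payload_len, _flags = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER.size + payload_len + TAG_LEN:
        return False, "length field does not match image size"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time compare
        return False, "authentication tag invalid (unsigned or tampered image)"
    if version < min_version:
        return False, "rollback refused: version %d < %d" % (version, min_version)
    return True, "accepted"


def apply_update(image: bytes, flash: bytearray) -> Tuple[bool, str]:
    """Stage, verify, then commit. `flash` is left untouched on any failure."""
    ok, reason = verify_image(image)
    if not ok:
        return False, reason
    flash[:] = image[HEADER.size:-TAG_LEN]
    return True, reason


if __name__ == "__main__":
    flash = bytearray(b"old firmware")          # constructed current contents
    payload = b"constructed sample kernel+rootfs"
    good = build_image(7, payload)
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0xFF               # flip one payload byte
    for name, img in [("unsigned", build_image(7, payload, key=None)),
                      ("tampered", bytes(tampered)),
                      ("wrong key", build_image(7, payload, key=b"not-the-device-key")),
                      ("rollback", build_image(3, payload)),
                      ("valid", good)]:
        ok, why = apply_update(img, flash)
        print("%-9s -> %s: %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The ordering matters as much as the checks themselves: the header is only parsed far enough to bound the image, the tag is verified over header and payload together so that the version field cannot be rewritten independently, and the anti-rollback comparison happens after authentication so a rejected image can never lower the floor.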
According to some product notes, firmware upgrades for the Linux-based Moxa UC 7408-LX-Plus can take place through a combination of UART commands over a serial link and an Ethernet-based TFTP connection, which is unlikely to have been the attack vector given that it has to be triggered from the serial interface. Alternatively, the user manual suggests retrieving firmware updates via FTP from a Telnet or SSH shell on the serial converter itself and then using the upfirm command to perform the firmware update. Given that this is a straightforward embedded Linux device, the most likely attack vector was an attacker abusing default credentials, sniffing credentials over Telnet, or exploiting one of the myriad remote code execution vulnerabilities in this Moxa device, and subsequently either abusing the native firmware update commands or corrupting block devices directly. The iRZ RUH2 3G is similarly Linux-based and can receive firmware updates via its web interface, though SSH shell access is possible too, suggesting an attack vector very similar to the Moxa's.

Predatory Sparrow is a highl...